Analysis
max time kernel: 95s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-07-2024 10:52
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
  Resource: win10v2004-20240709-en
General
Target: 2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
Size: 137KB
MD5: 82ee11ed81b268ddb650dca21b13ba99
SHA1: 3c06983cd31d9c469de4087854dbccb3818e835e
SHA256: 174124e4c690c487ffe0a9b8a607f16a609a1d003cbe8945e4be04158bcd2e67
SHA512: d0574a7ef1050a7750b76b0075a3ca8f6064ead954059b0fcc7dc1d4913a50b04eaabfbb53099c09730d06afb29f3a1700b3fa039599ddb87349df65c182ee24
SSDEEP: 1536:ymFff+GbWDmMAvQmHWlOMDSzWiO5MOYTB6m+GFgp10sWjcdCiIjUA0ZIFy2:ymjbWaMAvx2WSisuB767CiIjDF
Malware Config
Signatures
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description         ioc                                                                                                  process
  Key value queried   \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation   2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes (process for every entry: 2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe):
  description               ioc
  File opened (read-only)   \??\B:
  File opened (read-only)   \??\H:
  File opened (read-only)   \??\K:
  File opened (read-only)   \??\S:
  File opened (read-only)   \??\T:
  File opened (read-only)   \??\E:
  File opened (read-only)   \??\G:
  File opened (read-only)   \??\L:
  File opened (read-only)   \??\N:
  File opened (read-only)   \??\O:
  File opened (read-only)   \??\Q:
  File opened (read-only)   \??\V:
  File opened (read-only)   \??\X:
  File opened (read-only)   \??\A:
  File opened (read-only)   \??\I:
  File opened (read-only)   \??\M:
  File opened (read-only)   \??\W:
  File opened (read-only)   \??\Y:
  File opened (read-only)   \??\Z:
  File opened (read-only)   \??\J:
  File opened (read-only)   \??\P:
  File opened (read-only)   \??\R:
  File opened (read-only)   \??\U:
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
  description       ioc                                                                                                                                                process
  Set value (str)   \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp"   2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description   ioc                                                            process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   wmic.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   timeout.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (process for every entry: 2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe):
  description         ioc
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
Delays execution with timeout.exe 1 IoCs
Processes:
  pid    process
  3952   timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
  pid   process
  512   2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
  512   2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
  512   2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
  512   2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
  wmic.exe (pid 5060), each of the following 21 entries recorded twice (42 IoCs):
    Token: SeIncreaseQuotaPrivilege
    Token: SeSecurityPrivilege
    Token: SeTakeOwnershipPrivilege
    Token: SeLoadDriverPrivilege
    Token: SeSystemProfilePrivilege
    Token: SeSystemtimePrivilege
    Token: SeProfSingleProcessPrivilege
    Token: SeIncBasePriorityPrivilege
    Token: SeCreatePagefilePrivilege
    Token: SeBackupPrivilege
    Token: SeRestorePrivilege
    Token: SeShutdownPrivilege
    Token: SeDebugPrivilege
    Token: SeSystemEnvironmentPrivilege
    Token: SeRemoteShutdownPrivilege
    Token: SeUndockPrivilege
    Token: SeManageVolumePrivilege
    Token: 33
    Token: 34
    Token: 35
    Token: 36
  vssvc.exe (pid 2896), 3 IoCs:
    Token: SeBackupPrivilege
    Token: SeRestorePrivilege
    Token: SeAuditPrivilege
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  description                       pid    process                                                                        target process
  PID 512 wrote to memory of 5060   512    2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe   wmic.exe
  PID 512 wrote to memory of 5060   512    2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe   wmic.exe
  PID 512 wrote to memory of 5060   512    2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe   wmic.exe
  PID 512 wrote to memory of 1576   512    2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe   cmd.exe
  PID 512 wrote to memory of 1576   512    2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe   cmd.exe
  PID 512 wrote to memory of 1576   512    2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe   cmd.exe
  PID 1576 wrote to memory of 3952  1576   cmd.exe                                                                        timeout.exe
  PID 1576 wrote to memory of 3952  1576   cmd.exe                                                                        timeout.exe
  PID 1576 wrote to memory of 3952  1576   cmd.exe                                                                        timeout.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe"
  - Checks computer location settings
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 512
  C:\Windows\SysWOW64\wbem\wmic.exe (depth 2)
    command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 5060
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: "C:\Windows\System32\cmd.exe" /c timeout -c 5 & del "C:\Users\Admin\AppData\Local\Temp\2024-07-25_82ee11ed81b268ddb650dca21b13ba99_gandcrab_karagany_metamorfo.exe" /f /q
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1576
    C:\Windows\SysWOW64\timeout.exe (depth 3)
      command line: timeout -c 5
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe
      PID: 3952
C:\Windows\system32\vssvc.exe (depth 1)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 2896